Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet, in order to avoid exposing private data and to minimize security risks. The appropriate level of access to the API server endpoint depends on your EKS use case; however, for most use cases Cloud Conformity recommends that the endpoint be reachable only from within your AWS Virtual Private Cloud (VPC).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
During each cluster launch, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with the new cluster. By default this endpoint is public: it can be reached directly from outside your Virtual Private Cloud (VPC), so any host on the Internet can connect to your cluster's API server. Every request is still authenticated (IAM identities via the AWS IAM authenticator) and authorized through Kubernetes RBAC, but exposing the endpoint to the whole Internet widens the attack surface (scanning, abuse of leaked credentials, exploitation of API server vulnerabilities) and increases the opportunity for malicious activity. To follow security best practices, disable public access to the API server endpoint so that it is no longer reachable from the Internet, and enable private endpoint access in the same configuration change, because EKS requires at least one of the two access modes to stay enabled. After the change, kubectl and CI/CD tooling must reach the endpoint from inside the VPC or over a connected network (VPN, AWS Direct Connect or a peered VPC). Where a fully private endpoint is not practical, restricting the public endpoint to a CIDR allow-list (publicAccessCidrs) is a weaker but still useful intermediate step.
Audit
To determine if your AWS EKS cluster endpoints are publicly accessible, perform the following actions:
Remediation / Resolution
To reconfigure the visibility of your EKS cluster API server endpoints to the Internet in order to disable public accessibility, perform the following actions:
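The following script is an added example and is not the Cloud Conformity tool's own audit or remediation steps, nor code taken from this page. It chains the AWS CLI commands listed under References (list-clusters, describe-cluster, update-cluster-config, describe-update) to audit every cluster in a region and to switch a named cluster to a private-only endpoint. It assumes AWS CLI v2 on the PATH with credentials that allow eks:ListClusters, eks:DescribeCluster, eks:UpdateClusterConfig and eks:DescribeUpdate; the function names and the PRIVATE_ONLY / PUBLIC_RESTRICTED / PUBLIC_OPEN verdicts are our own naming, not AWS terminology.

```shell
#!/bin/sh
# Added example (not part of the Cloud Conformity rule page): audit and remediate
# publicly accessible Amazon EKS API server endpoints with the AWS CLI.
# Assumed: AWS CLI v2 on PATH; credentials allowing eks:ListClusters,
# eks:DescribeCluster, eks:UpdateClusterConfig and eks:DescribeUpdate.

# classify_endpoint PUBLIC [CIDRS]
#   PUBLIC: the True/False string that `--output text` prints for
#           cluster.resourcesVpcConfig.endpointPublicAccess.
#   CIDRS:  publicAccessCidrs as printed by `--output text` (tab-separated).
#           EKS defaults the list to 0.0.0.0/0, so that is assumed when omitted.
# Prints one of PRIVATE_ONLY, PUBLIC_RESTRICTED, PUBLIC_OPEN (our own verdict names).
classify_endpoint() {
  public=$1
  cidrs=${2:-0.0.0.0/0}
  case "$public" in
    False|false)
      echo PRIVATE_ONLY ;;
    *)
      # Public access is on; the endpoint is only "open" to the whole Internet
      # if the allow-list still contains 0.0.0.0/0.
      case "$cidrs" in
        *0.0.0.0/0*) echo PUBLIC_OPEN ;;
        *)           echo PUBLIC_RESTRICTED ;;
      esac ;;
  esac
}

# audit_region REGION
#   Prints "<cluster> <verdict> <public CIDRs>" for every EKS cluster in REGION.
audit_region() {
  region=$1
  for name in $(aws eks list-clusters --region "$region" \
                  --query 'clusters[]' --output text); do
    public=$(aws eks describe-cluster --region "$region" --name "$name" \
               --query 'cluster.resourcesVpcConfig.endpointPublicAccess' --output text)
    cidrs=$(aws eks describe-cluster --region "$region" --name "$name" \
              --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text)
    printf '%s %s %s\n' "$name" "$(classify_endpoint "$public" "$cidrs")" "$cidrs"
  done
}

# disable_public_access REGION CLUSTER
#   Turns the public endpoint off and the private endpoint on in one update
#   (EKS rejects a configuration with both disabled), then polls describe-update
#   until the change finishes. Prints the final update status.
disable_public_access() {
  region=$1
  name=$2
  update_id=$(aws eks update-cluster-config --region "$region" --name "$name" \
      --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true \
      --query 'update.id' --output text)
  status=InProgress
  while [ "$status" = InProgress ]; do
    sleep 15
    status=$(aws eks describe-update --region "$region" --name "$name" \
               --update-id "$update_id" --query 'update.status' --output text)
  done
  echo "$status"   # Successful, Failed or Cancelled
}

# Usage:  sh eks_endpoint.sh audit us-east-1
#         sh eks_endpoint.sh fix   us-east-1 my-cluster
case "${1:-}" in
  audit) audit_region "$2" ;;
  fix)   disable_public_access "$2" "$3" ;;
esac
```

Run the audit first and treat every PUBLIC_OPEN cluster as a finding for this rule; PUBLIC_RESTRICTED clusters still expose the API server to the listed CIDRs and should be reviewed against your use case. The endpoint update takes several minutes, during which the API server stays available, but once the status is Successful any kubectl session, CI runner or monitoring agent outside the VPC loses access, so move that tooling onto a VPN, Direct Connect or peered-VPC path before running the fix.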
References
- AWS Documentation
  - Amazon EKS FAQs
  - Amazon EKS Clusters
  - Amazon EKS Cluster Endpoint Access Control
- AWS Command Line Interface (CLI) Documentation
  - eks
  - list-clusters
  - describe-cluster
  - update-cluster-config
  - describe-update
Rule: Publicly Accessible Cluster Endpoints
Risk level: Medium